pkgsrc-Changes archive


CVS commit: pkgsrc/chat/matrix-synapse



Module Name:    pkgsrc
Committed By:   gdt
Date:           Fri Jul  1 14:22:34 UTC 2022

Modified Files:
        pkgsrc/chat/matrix-synapse: Makefile distinfo

Log Message:
chat/matrix-synapse: Update to 1.60.1

Synapse 1.61.1 (2022-06-28)
===========================

This patch release fixes a security issue regarding URL previews,
affecting all prior versions of Synapse. Server administrators are
encouraged to update Synapse as soon as possible. We are not aware of
these vulnerabilities being exploited in the wild.

Server administrators who are unable to update Synapse may use the
workarounds described in the linked GitHub Security Advisory below.

## Security advisory

The following issue is fixed in 1.61.1.

* [GHSA-22p3-qrh9-cx32](https://github.com/matrix-org/synapse/security/advisories/GHSA-22p3-qrh9-cx32)
  / [CVE-2022-31052](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31052)

  Synapse instances with the
  [`url_preview_enabled`](https://matrix-org.github.io/synapse/v1.61/usage/configuration/config_documentation.html#media-store)
  homeserver config option set to `true` are affected. URL previews of
  some web pages can lead to unbounded recursion, causing the request
  to either fail, or in some cases crash the running Synapse process.

  Requesting URL previews requires authentication. Nevertheless, it is
  possible to exploit this maliciously, either by malicious users on
  the homeserver, or by remote users sending URLs that a local user's
  client may automatically request a URL preview for.

  Homeservers with the `url_preview_enabled` configuration option set
  to `false` (the default) are unaffected. Instances with the
  `enable_media_repo` configuration option set to `false` are also
  unaffected, as this also disables URL preview functionality.

  Fixed by [fa1308061802ac7b7d20e954ba7372c5ac292333](https://github.com/matrix-org/synapse/commit/fa1308061802ac7b7d20e954ba7372c5ac292333).


To generate a diff of this commit:
cvs rdiff -u -r1.54 -r1.55 pkgsrc/chat/matrix-synapse/Makefile
cvs rdiff -u -r1.38 -r1.39 pkgsrc/chat/matrix-synapse/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/chat/matrix-synapse/Makefile
diff -u pkgsrc/chat/matrix-synapse/Makefile:1.54 pkgsrc/chat/matrix-synapse/Makefile:1.55
--- pkgsrc/chat/matrix-synapse/Makefile:1.54    Thu Jun 30 11:18:06 2022
+++ pkgsrc/chat/matrix-synapse/Makefile Fri Jul  1 14:22:34 2022
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.54 2022/06/30 11:18:06 nia Exp $
+# $NetBSD: Makefile,v 1.55 2022/07/01 14:22:34 gdt Exp $
 
-DISTNAME=      matrix-synapse-1.61.0
-PKGREVISION=   2
+DISTNAME=      matrix-synapse-1.61.1
 CATEGORIES=    chat
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=matrix-org/}
 GITHUB_PROJECT=        synapse
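
Review bot: the log message subject says "Update to 1.60.1", but the `+DISTNAME=` line in this hunk sets matrix-synapse-1.61.1 and the quoted release notes are for 1.61.1. The subject should read 1.61.1, so that anyone searching the commit history for the CVE-2022-31052 fix finds this revision. Removing `PKGREVISION= 2` together with the DISTNAME bump is correct, since the revision counter restarts with a new upstream version.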

Index: pkgsrc/chat/matrix-synapse/distinfo
diff -u pkgsrc/chat/matrix-synapse/distinfo:1.38 pkgsrc/chat/matrix-synapse/distinfo:1.39
--- pkgsrc/chat/matrix-synapse/distinfo:1.38    Thu Jun 16 12:06:25 2022
+++ pkgsrc/chat/matrix-synapse/distinfo Fri Jul  1 14:22:34 2022
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.38 2022/06/16 12:06:25 gdt Exp $
+$NetBSD: distinfo,v 1.39 2022/07/01 14:22:34 gdt Exp $
 
-BLAKE2s (matrix-synapse-1.61.0.tar.gz) = 5f568ce040edefe1469a24540027c49f5291dbf109e90db12f84b80b565d4115
-SHA512 (matrix-synapse-1.61.0.tar.gz) = 24d390bd1715c5cbc1e468c363287626e3be9da55cad98d73cdd7caaf9ccd6218a26925882367ec95fb3a82ffb5da6a6388d8e4317adde20db28ab620afe4bfc
-Size (matrix-synapse-1.61.0.tar.gz) = 7879924 bytes
+BLAKE2s (matrix-synapse-1.61.1.tar.gz) = 9e6dd03086a60972b4b6677aef4cf9895ec82a3e00d5961cd05d0431092f9b61
+SHA512 (matrix-synapse-1.61.1.tar.gz) = 5cebfa66f74b518fc3a2c818af57386c85bb7a91001de1b0378d55a667c8f2c5a506c6e77ab4954f003cae166f2da3d755b498e403b168ee7f55f0943dd870d8
+Size (matrix-synapse-1.61.1.tar.gz) = 7880431 bytes
 SHA1 (patch-pyproject.toml) = 252503c60c6c1ee1b8655f2265944d9788402bf4
 SHA1 (patch-synapse_handlers_room.py) = f9a62add7171898ec0ea76360f0a4c9969609537
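
Review bot: the two `SHA1 (patch-...)` context lines at the end of this hunk are unchanged, so both local patches are carried over untouched onto the 1.61.1 sources. distinfo records only the hashes of the patch files, not whether they still apply, so it is worth confirming that patch-pyproject.toml and patch-synapse_handlers_room.py apply cleanly to the new tarball before relying on this as the security update. The BLAKE2s, SHA512 and Size lines are all replaced together and all name matrix-synapse-1.61.1.tar.gz, which matches the DISTNAME change in the Makefile.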


